Updated 7/13/2025
To disable Raspberry Pi Imager telemetry, open the Imager and press Ctrl-Shift-X to reveal the hidden advanced-options dialog. On the Options tab, uncheck the telemetry box.
Surprisingly, this setting is not global: you have to do it for each user.
To disable IPv6, add the following to the single line in /boot/firmware/cmdline.txt (the file must stay one line; append the parameter separated by a space) [1][2]:
ipv6.disable=1
Alternately, the Debian way is to add the following to /etc/sysctl.conf (or to a file under /etc/sysctl.d/) and reboot, or reload the sysctl settings [1][2]:
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
If you disable IPv6, then in /etc/wayvnc/config you must change the line "address=::" to "address=0.0.0.0" [3]. "::" is the IPv6 wildcard address, and the bind fails once IPv6 is gone. This applies even if you are not using VNC; without this change your Pi will not shut down correctly.
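The three steps above, as an added example that is not part of the original page: a small bash script that applies them idempotently. Every target path is a function argument so the functions can be tried on copies first; the real files on Raspberry Pi OS Bookworm are /boot/firmware/cmdline.txt and /etc/wayvnc/config, and the sysctl drop-in name 90-disable-ipv6.conf is an assumption (any name ending in .conf under /etc/sysctl.d/ works).

```shell
#!/bin/bash
# Added example, not code from the original page: applies the IPv6-off
# steps idempotently. Paths are arguments so the functions can be tested
# on copies; the sysctl drop-in file name below is an assumption.
set -eu

# cmdline.txt is one line of space-separated parameters. Remove any
# existing setting of the same key, then append the wanted one, so running
# this twice (or after "ipv6.disable=0" was set) leaves exactly one
# "ipv6.disable=1" and the file stays a single line.
add_kernel_param() {                       # add_kernel_param FILE KEY=VALUE
    local file=$1 param=$2 key=${2%%=*} line
    line=$(tr -d '\n' < "$file" | awk -v k="$key=" '
        { out = ""
          for (i = 1; i <= NF; i++)
              if (index($i, k) != 1) out = out (out == "" ? "" : " ") $i
          print out }')
    printf '%s\n' "${line:+$line }$param" > "$file"
}

# The sysctl form: write a drop-in instead of editing /etc/sysctl.conf;
# "sysctl --system" (or a reboot) applies it.
write_sysctl_dropin() {                    # write_sysctl_dropin FILE
    cat > "$1" <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1
EOF
}

# wayvnc listens on "address=::", the IPv6 wildcard. With IPv6 gone that
# bind fails, so switch it to the IPv4 wildcard. Only that exact line is
# touched; an already-fixed file is left as is.
fix_wayvnc_address() {                     # fix_wayvnc_address FILE
    sed -i 's/^address=::$/address=0.0.0.0/' "$1"
}

# Check the running kernel. With ipv6.disable=1 the IPv6 stack is not
# registered at all and /proc/sys/net/ipv6 does not exist, which counts
# as disabled here too.
ipv6_disabled_now() {
    [ "$(cat /proc/sys/net/ipv6/conf/all/disable_ipv6 2>/dev/null || echo 1)" = 1 ]
}

if [ "${1:-}" = "--apply" ]; then          # real run on the Pi, as root
    add_kernel_param /boot/firmware/cmdline.txt ipv6.disable=1
    write_sysctl_dropin /etc/sysctl.d/90-disable-ipv6.conf
    [ -f /etc/wayvnc/config ] && fix_wayvnc_address /etc/wayvnc/config
    sysctl --system > /dev/null
    ipv6_disabled_now && echo "IPv6 is off now; reboot for cmdline.txt to take effect"
fi
```

Run it as root with --apply on the Pi; without the flag it only defines the functions, which is how it can be exercised against throw-away copies of the files first.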
To disable WiFi and/or Bluetooth on the Raspberry Pi, add the following at the end of /boot/firmware/config.txt [4][5][6]:
dtoverlay=disable-wifi
dtoverlay=disable-bt
If you do not need mDNS, remove "avahi" [7]:
sudo apt remove --purge avahi-daemon
sudo apt autoremove --purge
Warning: if you need to communicate with an Apple device via Bonjour, do not remove avahi-daemon. Removing it also means other machines can no longer find this Pi as <hostname>.local, so connect to it by IP address afterwards.
You can disable NTP with the following command [8][9]:
sudo timedatectl set-ntp false
However, I believe the current version of the Advanced Package Tool (APT) relies on NTP to synchronize the clock in order to update packages. Most Raspberry Pi models have no battery-backed real-time clock, so with NTP off the clock is wrong after every reboot, which breaks TLS certificate validation (including HTTPS repositories) and APT's Release-file validity checks.
The best way to harden a Raspberry Pi is with nftables, but first you have to enable the service (it loads /etc/nftables.conf at boot):
sudo systemctl enable nftables
Then you write tables that contain "chains", and the chains contain "rules". This is beyond the scope of this page, but there is a sample nftables file at the end of this page.
To remove Google's Chromium browser:
sudo apt remove --purge chromium
Ironically this leaves behind chromium-common and other packages. To remove them:
sudo apt autoremove --purge
In the Firefox address bar type: about:config
Click "Accept the Risk and Continue".
Search for and toggle the following to false:
| network.captive-portal-service-enabled | false |
| network.connectivity-service-enabled | false |
| media.peerconnection.enabled | false |
| app.normandy.enabled | false |
(The first two are Firefox's captive-portal and connectivity probes to Mozilla, media.peerconnection is WebRTC, and Normandy is Mozilla's remote preference and experiment system.)
Unfortunately, you need to do this for every user.
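The per-user step above has a system-wide equivalent: a Firefox enterprise policy file. The script below is an added example, not part of the original page. It assumes the path /etc/firefox/policies/policies.json that Mozilla documents for Linux builds; whether the Firefox build on Raspberry Pi OS reads it is an assumption to verify at about:policies after restarting Firefox. app.normandy.* cannot be set through the Preferences policy, so the DisableFirefoxStudies policy is used for it instead.

```shell
#!/bin/bash
# Added example, not code from the original page: set the about:config
# preferences listed above for every user via a Firefox policy file.
# The policies.json path is assumed from Mozilla's Linux documentation.
set -eu

# Write the policy file to PATH. "Status": "locked" greys the prefs out
# in about:config so a user cannot flip them back; "CaptivePortal": false
# is the dedicated policy for the captive-portal probe.
write_firefox_policy() {                   # write_firefox_policy PATH
    cat > "$1" <<'EOF'
{
  "policies": {
    "DisableFirefoxStudies": true,
    "CaptivePortal": false,
    "Preferences": {
      "network.captive-portal-service-enabled": { "Value": false, "Status": "locked" },
      "network.connectivity-service-enabled":   { "Value": false, "Status": "locked" },
      "media.peerconnection.enabled":           { "Value": false, "Status": "locked" }
    }
  }
}
EOF
}

# Return 0 when the file covers every item from the about:config list
# (Normandy being covered by DisableFirefoxStudies).
policy_covers_page_prefs() {               # policy_covers_page_prefs PATH
    grep -q '"DisableFirefoxStudies": true' "$1" &&
    grep -q '"network.captive-portal-service-enabled"' "$1" &&
    grep -q '"network.connectivity-service-enabled"' "$1" &&
    grep -q '"media.peerconnection.enabled"' "$1"
}

if [ "${1:-}" = "--apply" ]; then          # real run, as root
    install -d -m 755 /etc/firefox/policies
    write_firefox_policy /etc/firefox/policies/policies.json
    policy_covers_page_prefs /etc/firefox/policies/policies.json && echo "policy written"
fi
```

After writing the file, restart Firefox and open about:policies; the active policies are listed there, and the locked preferences show as greyed out in about:config for every user.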
To prevent NordVPN from collecting data:
nordvpn set analytics disabled
All your DNS queries should go through NordVPN's secure tunnel, but just in case, you can manually set your DNS servers to NordVPN's DNS servers (the nordvpn CLI has a set dns subcommand for this).
According to Rob Braxman Tech, Meta (Facebook) collects MAC addresses via Bluetooth [1].
To disable the Bluetooth service:
sudo systemctl disable bluetooth.service
You can also prevent the Bluetooth kernel modules from loading by adding the following to /etc/modprobe.d/blacklist.conf:
blacklist bluetooth
blacklist btusb
Note that a blacklist entry only stops a module from being loaded automatically by alias; a module pulled in as a dependency of another one still loads. The Pi's onboard radio is driven by hci_uart, not btusb, so the btusb line only covers USB dongles. The dtoverlay=disable-bt line in /boot/firmware/config.txt described above is the reliable switch for the onboard radio.
#!/usr/bin/nft -f
# lockdown4a.nft
# Last Updated on 7/1i/2025
#
# TODO: use NordVPN DNS servers
#
# NetBIOS may be needed for Samba file sharing, but I want to block it here!
#
# Notes:
# - "table ip" filters IPv4 only. If IPv6 is left enabled, IPv6 traffic
#   bypasses every rule below; use "table inet" in that case (or disable
#   IPv6 as described above).
# - The "add @set { ... }" statements record the 4-tuple of each matching
#   packet so blocked and allowed flows can be read back later with
#   "nft list set ip fb <set name>". These sets have no size limit and no
#   timeout, so they grow until the ruleset is reloaded.
# - Load with "sudo nft -c -f lockdown4a.nft" (syntax check only) and then
#   "sudo nft -f lockdown4a.nft"; nftables.service loads /etc/nftables.conf
#   at boot, so copy or include this file there.

# Re-create the table on every load so the file can be reloaded without
# duplicating rules; unlike "flush ruleset" this leaves other tables
# (such as any the NordVPN client manages) alone.
add table ip fb
delete table ip fb

table ip fb {
	# Mirror addresses for plain-http updates. deb.debian.org sits behind
	# a CDN and these addresses change over time; refresh them with
	# "getent ahosts deb.debian.org" when updates start failing.
	set update_debian {
		typeof ip daddr
		elements = { 151.101.2.132, 151.101.66.132, 151.101.130.132,
			     151.101.194.132, 146.75.94.132, 199.232.66.132,
			     151.101.46.132, 146.75.126.132, 199.232.90.132,
			     151.101.18.132, 146.75.106.132, 151.101.22.132,
			     151.101.114.132, 199.232.98.132, 199.232.38.132,
			     146.75.42.132, 151.101.162.132, 151.101.202.132,
			     146.75.78.132, 151.101.134.132, 151.101.14.132,
			     151.101.74.132 }
	}
	set update_pi {
		typeof ip daddr
		elements = { 176.126.240.167, 176.126.243.6, 46.235.231.151,
			     46.235.231.111, 93.93.135.118, 93.93.135.141,
			     93.93.135.117, 176.126.240.86, 176.126.240.84,
			     46.235.231.145, 176.126.243.5, 176.126.243.3 }
	}
	set update_nordvpn {
		typeof ip daddr
		elements = { 104.19.159.190, 104.16.208.203 }
	}

	# Flow-recording sets; "flags dynamic" allows rules to add elements.
	set input_dropped_udp      { typeof ip saddr . udp sport . ip daddr . udp dport; flags dynamic; }
	set input_dropped_tcp      { typeof ip saddr . tcp sport . ip daddr . tcp dport; flags dynamic; }
	set input_dropped_dropbox  { typeof ip saddr . udp sport . ip daddr . udp dport; flags dynamic; }
	set input_dropped_scansnap { typeof ip saddr . udp sport . ip daddr . udp dport; flags dynamic; }
	set input_dropped_mDNS     { typeof ip saddr . udp sport . ip daddr . udp dport; flags dynamic; }
	set input_samba_NetBIOS    { typeof ip saddr . udp sport . ip daddr . udp dport; flags dynamic; }
	set output_dropped_ntp     { typeof ip saddr . udp sport . ip daddr . udp dport; flags dynamic; }
	set output_dropped_mDNS    { typeof ip saddr . udp sport . ip daddr . udp dport; flags dynamic; }
	set dropped_tcp_http       { typeof ip saddr . tcp sport . ip daddr . tcp dport; flags dynamic; }
	set dropped_udp_http       { typeof ip saddr . udp sport . ip daddr . udp dport; flags dynamic; }
	set dropped_input_tcp      { typeof ip saddr . tcp sport . ip daddr . tcp dport; flags dynamic; }
	set output_https_tcp       { typeof ip saddr . tcp sport . ip daddr . tcp dport; flags dynamic; }
	set unknown_protocol       { typeof ip saddr . tcp sport . ip daddr . tcp dport; flags dynamic; }
	set unknown_tcp            { typeof ip saddr . tcp sport . ip daddr . tcp dport; flags dynamic; }

	chain INPUT {
		type filter hook input priority filter; policy drop;

		meta iif lo counter accept
		ct state established,related counter accept
		ct state invalid counter drop

		# VNC: incoming connections to this Pi's VNC server
		tcp dport { 5800, 5900, 5901 } counter accept
		udp dport { 5800, 5900, 5901 } counter accept
		# Do NOT accept by source port: any remote host can pick 5900 as
		# its source port and walk straight past this chain. Replies to
		# this Pi's own VNC connections are already covered by the
		# established rule above.
		# tcp sport { 5800, 5900, 5901 } counter accept
		# udp sport { 5800, 5900, 5901 } counter accept

		# Dropbox LAN sync (udp 17500) and ScanSnap (udp 52217) discovery
		# broadcasts: record and drop
		udp dport 17500 add @input_dropped_dropbox { ip saddr . udp sport . ip daddr . udp dport } counter drop
		udp dport 52217 add @input_dropped_scansnap { ip saddr . udp sport . ip daddr . udp dport } counter drop
		# Multicast DNS
		udp dport 5353 add @input_dropped_mDNS { ip saddr . udp sport . ip daddr . udp dport } counter drop
		# NetBIOS name/datagram service: recorded and currently ACCEPTED
		# for Samba; change accept to drop if file sharing is not used.
		udp dport { 137, 138 } add @input_samba_NetBIOS { ip saddr . udp sport . ip daddr . udp dport } counter accept

		# Everything else: record the flow, then drop
		ip protocol tcp add @input_dropped_tcp { ip saddr . tcp sport . ip daddr . tcp dport } counter drop
		ip protocol udp add @input_dropped_udp { ip saddr . udp sport . ip daddr . udp dport } counter drop
		ip protocol icmp counter drop
		counter drop
	} # Close INPUT chain

	chain OUTPUT {
		type filter hook output priority filter; policy drop;

		# Accept list
		# Debian updates (http)
		tcp dport 80 ip daddr @update_debian counter accept
		# Raspberry Pi updates (http)
		tcp dport 80 ip daddr @update_pi counter accept
		# NordVPN updates (http)
		tcp dport 80 ip daddr @update_nordvpn counter accept
		# NordVPN NordLynx (WireGuard)
		udp dport 51820 counter accept
		tcp dport 8884 counter accept # required but not documented
		# NordVPN OpenVPN
		udp dport 1194 counter accept
		udp sport 1194 counter accept
		# Network Time Protocol
		udp dport 123 counter accept
		# Secure Shell
		tcp dport 22 counter accept
		udp dport 22 counter accept
		# NetBIOS session service
		tcp dport 139 counter accept
		# SMB
		tcp dport 445 counter accept
		# VNC: outgoing connections to other VNC servers
		tcp dport { 5800, 5900, 5901 } counter accept
		udp dport { 5800, 5900, 5901 } counter accept
		# tcp sport { 5800, 5900, 5901 } counter accept
		# udp sport { 5800, 5900, 5901 } counter accept
		# DNS, to any resolver (see the TODO at the top)
		udp dport 53 counter accept
		tcp dport 53 counter accept
		# HTTPS: record the 4-tuple of every packet, then accept. Adding
		# "ct state new" here would record only the first packet of each
		# connection; the rest would then be accepted by the established
		# rule further down.
		tcp dport 443 add @output_https_tcp { ip saddr . tcp sport . ip daddr . tcp dport } counter accept
		udp dport 443 counter accept
		# Local traffic ("iif lo" never matches in the output hook, so
		# only oif is checked)
		oif lo counter accept
		# Established traffic
		ct state established,related counter accept
		# ICMP (ping, path-MTU discovery) outbound: accepted
		ip protocol icmp counter accept
		# Multicast DNS: recorded and currently ACCEPTED (the set name is
		# historical); change accept to drop if avahi was removed.
		udp dport 5353 add @output_dropped_mDNS { ip saddr . udp sport . ip daddr . udp dport } counter accept

		# Drop list
		# Plain http to anything not in the update sets above
		tcp dport 80 add @dropped_tcp_http { ip saddr . tcp sport . ip daddr . tcp dport } counter drop
		udp dport 80 add @dropped_udp_http { ip saddr . udp sport . ip daddr . udp dport } counter drop
		# All remaining udp/tcp, split so the counters separate privileged
		# from ephemeral destination ports; tcp destinations are recorded
		udp dport 1-1023 counter drop
		udp dport 1024-65535 counter drop
		tcp dport 1-1023 add @unknown_tcp { ip saddr . tcp sport . ip daddr . tcp dport } counter drop
		tcp dport 1024-65535 add @unknown_protocol { ip saddr . tcp sport . ip daddr . tcp dport } counter drop
		# Everything else
		counter drop
	} # Close OUTPUT chain
}
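Checking, loading and reading back the sample ruleset, as an added example that is not part of the original page or of lockdown4a.nft: the first function syntax-checks the file before touching the kernel, and the parser turns the text format of "nft list set" for one of the 4-tuple recording sets into a count per destination, which is how the blocked flows the sets collect are actually reviewed. A constructed listing is embedded so the parser runs without nft; the table name fb and the set name dropped_tcp_http are the ones from the file above.

```shell
#!/bin/bash
# Added example, not part of the original page's lockdown4a.nft: check,
# load and then summarize the flow-recording sets of the ruleset above.
set -eu

# Syntax-check the file (-c does not touch the kernel), then load it.
nft_check_and_load() {                     # nft_check_and_load FILE
    sudo nft -c -f "$1" && sudo nft -f "$1"
}

# Read "nft list set ..." output for a set typed
#   ip saddr . sport . ip daddr . dport
# on stdin and print one "daddr:dport count" line per destination,
# most frequent first.
summarize_tuples() {
    # keep only the "elements = { ... }" block, one tuple per line
    sed -n '/elements = {/,/}/p' |
    tr -d '{}' | sed 's/elements =//' | tr ',' '\n' |
    # fields are separated by " . "; NF == 4 skips blank and stray lines
    awk -F' [.] ' 'NF == 4 { gsub(/ /, "", $3); gsub(/ /, "", $4); print $3 ":" $4 }' |
    sort | uniq -c | sort -rn |
    awk '{ print $2, $1 }'
}

# Constructed sample of what "nft list set ip fb dropped_tcp_http" prints
# after two blocked http attempts to one host and one to another.
SAMPLE_SET='table ip fb {
    set dropped_tcp_http {
        typeof ip saddr . tcp sport . ip daddr . tcp dport
        flags dynamic
        elements = { 192.168.1.20 . 44512 . 93.184.216.34 . 80,
                     192.168.1.20 . 44518 . 93.184.216.34 . 80,
                     192.168.1.20 . 50102 . 198.51.100.7 . 80 }
    }
}'

summarize_sample() {                       # offline run over the sample
    printf '%s\n' "$SAMPLE_SET" | summarize_tuples
}

# Live version, after the ruleset is loaded: which outbound http
# destinations did the Pi try to reach and get blocked from?
blocked_http_destinations() {
    sudo nft list set ip fb dropped_tcp_http | summarize_tuples
}

# Companion check after removing avahi, Bluetooth and friends: what is
# still listening on the network?
listening_services() {
    ss -lntup
}
```

summarize_sample prints "93.184.216.34:80 2" and then "198.51.100.7:80 1"; pointing the same parser at output_https_tcp or input_dropped_tcp lists what the Pi talks to over HTTPS and who is knocking on it, and "nft list counters ip fb" shows which rules are actually being hit.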